iptables/extensions/libxt_HMARK.man

Like MARK, i.e. set the fwmark, but the mark is calculated from hashing
packet selector at choice. You have also to specify the mark range and,
optionally, the offset to start from. ICMP error messages are inspected
and used to calculate the hashing.
.PP
Existing options are:
.TP
\fB\-\-hmark\-tuple\fP tuple\fI\fP
Possible tuple members are:
.B src
meaning source address (IPv4, IPv6 address),
.B dst
meaning destination address (IPv4, IPv6 address),
.B sport
meaning source port (TCP, UDP, UDPlite, SCTP, DCCP),
.B dport
meaning destination port (TCP, UDP, UDPlite, SCTP, DCCP),
.B spi
meaning Security Parameter Index (AH, ESP), and
.B ct
meaning the usage of the conntrack tuple instead of the packet selectors.
.TP
\fB\-\-hmark\-mod\fP \fIvalue (must be > 0)\fP
Modulus for hash calculation (to limit the range of possible marks)
.TP
\fB\-\-hmark\-offset\fP \fIvalue\fP
Offset to start marks from.
.TP
For advanced usage, instead of using \-\-hmark\-tuple, you can specify custom
prefixes and masks:
.TP
\fB\-\-hmark\-src\-prefix\fP \fIcidr\fP
The source address mask in CIDR notation.
.TP
\fB\-\-hmark\-dst\-prefix\fP \fIcidr\fP
The destination address mask in CIDR notation.
.TP
\fB\-\-hmark\-sport\-mask\fP \fIvalue\fP
A 16 bit source port mask in hexadecimal.
.TP
\fB\-\-hmark\-dport\-mask\fP \fIvalue\fP
A 16 bit destination port mask in hexadecimal.
.TP
\fB\-\-hmark\-spi\-mask\fP \fIvalue\fP
A 32 bit field with spi mask.
.TP
\fB\-\-hmark\-proto\-mask\fP \fIvalue\fP
An 8 bit field with layer 4 protocol number.
.TP
\fB\-\-hmark\-rnd\fP \fIvalue\fP
A 32 bit random custom value to feed hash calculation.
.PP
\fIExamples:\fP
.PP
iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW
 \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000
\-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe
.PP
iptables \-t mangle \-A PREROUTING -j HMARK \-\-hmark\-offset 10000
\-\-hmark-tuple src,dst,proto \-\-hmark-mod 10 \-\-hmark\-rnd 0xdeafbeef